Microsoft Adds More Group and Browser Controls to Azure AD

After being in preview since last August, the new group expiration policy feature is now generally available. Policies specifying how long groups should exist can be set in days from the Azure AD Portal or by using Azure AD PowerShell. It's possible to set policies for some groups or for all groups.

There's one catch: Organizations need to have Azure AD Premium subscriptions in place to use this feature. That's true for "all members of the groups to which the expiration policy is applied," according to Microsoft's documentation.

Under the group expiration policies scheme, end users who are group owners get sent a series of notifications automatically before a group is set to expire. The notifications arrive "30 days, 15 days and 1 day" before the group's end date, giving owners the option to keep or delete the group. The group gets deleted automatically if there's no response, but group owners will receive another notification letting them know it was deleted. Group owners and Office 365 account administrators have 30 days from the group's termination date to restore a group.

There's an exception for groups where there's a legal hold in place, as those groups don't get deleted. The content of groups will still be accessible via e-discovery if retention policies were set using the Security and Compliance Center.
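As an added illustration of the PowerShell path the article mentions (this is not code from the article or from Microsoft's documentation), the following Azure AD PowerShell session creates a lifetime policy in days, scopes it to selected groups rather than all groups, and restores a group that was auto-deleted within the 30-day window. It assumes the AzureAD module is installed, the signed-in account has the rights to manage group lifecycle policies, and that the group name and notification address are placeholders.

```powershell
# Added example, not from the article: manage an Azure AD group expiration policy.
# Assumes the AzureAD PowerShell module; "Project-Alpha" and the contoso.example
# address are placeholders chosen for this example.

Connect-AzureAD

# One lifecycle policy per tenant. ManagedGroupTypes is "All", "Selected" or "None";
# AlternateNotificationEmails receives the renewal prompts for groups with no owner.
$policy = New-AzureADMSGroupLifecyclePolicy `
    -GroupLifetimeInDays 180 `
    -ManagedGroupTypes "Selected" `
    -AlternateNotificationEmails "groups-admin@contoso.example"

# With "Selected", only groups explicitly attached to the policy will expire.
$group = Get-AzureADMSGroup -Filter "displayName eq 'Project-Alpha'" | Select-Object -First 1
Add-AzureADMSLifecyclePolicyGroup -Id $policy.Id -GroupId $group.Id

# Verify what is in place: the tenant policy and the policy bound to this group.
Get-AzureADMSGroupLifecyclePolicy
Get-AzureADMSLifecyclePolicyGroup -Id $group.Id

# A group that expired without an owner renewing it is soft-deleted and can be
# restored for 30 days. List the soft-deleted groups, then restore one by object ID.
Get-AzureADMSDeletedGroup | Select-Object Id, DisplayName
Restore-AzureADMSDeletedDirectoryObject -Id $group.Id
```

Two practical checks before enabling this: confirm the Azure AD Premium licensing the article describes is in place for the members of the scoped groups, and keep `ManagedGroupTypes` at "Selected" for a pilot so that the first expirations hit only groups whose owners expect the renewal notifications.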

Office 365 end users can create groups unless they've been restricted beforehand by IT pros, typically through the creation of "security groups," as described in this documentation. The creation of an Office 365 group will automatically provision a SharePoint site, a Yammer group, an Outlook mailbox, OneNote and a chat space in Microsoft Teams, which are all managed via Azure AD. Deleting a group should get rid of all of those services that get automatically created with a group, according to a FAQ published by AvePoint, a Microsoft partner that offers Office 365 governance support.

Managed Browser Support
In other Azure AD news, the "managed browser" that's used with Microsoft Intune, Microsoft's mobile management service, can now use single sign-on and conditional access Azure AD capabilities, Microsoft announced last week. The Intune managed browser is a downloadable application for devices that follows policies set by Intune.

The single sign-on access feature for the managed browser app permits easier access by end users to all Azure AD-managed applications, both online and on-premises. It works with Android and iOS devices.

The conditional access capability for the Intune managed browser adds the ability to restrict access to organizational information, based on browser use. For instance, it's possible to block access to resources "from any other unprotected browsers like Safari or Chrome," Microsoft's announcement explained. When end users try to use those browsers, they'll get directed to use the Intune managed browser instead. The conditional access capability works across Office 365 services, as well as for "on-premises sites that you have exposed via the Azure AD Application Proxy" service, the announcement added.